
How could I fuzz an iOS demo? #43

@musnows

Description


My AFL++ has been compiled using the `export CFLAGS="-DUSEMMAP=1"` flag (because my iOS demo app is running on the Xcode emulator, it should be in local mode on macOS).

```sh
git clone https://github.com/ttdennis/fpicker
cd fpicker
export CFLAGS="-DUSEMMAP=1"
make fpicker-macos
```

I want to fuzz a function on an iOS demo app now, but I still can't connect to the target app. The frida command will display the error 'Failed to attach: process is dead'.

```
➜  fpicker frida-ps -D local | grep "IOSTestDemo"
98235  IOSTestDemo  
➜  fpicker frida -D local  -p 98235 
     ____
    / _  |   Frida 17.2.15 - A world-class dynamic instrumentation toolkit
   | (_| |
    > _  |   Commands:
   /_/ |_|       help      -> Displays the help system
   . . . .       object?   -> Display information about 'object'
   . . . .       exit/quit -> Exit
   . . . .
   . . . .   More info at https://frida.re/docs/home/
   . . . .
   . . . .   Connected to Local System (id=local)
Failed to attach: process is dead 
```

What should I do next? Is there a problem with my installation or is there an error in my operation?

By the way, when I tried to use the test-network example in the project, the following error occurred:

```
➜  fpicker frida-compile examples/test-network/test-network-fuzzer.js -o ./examples/test-network/harness.js     
➜  fpicker afl-fuzz -i examples/test-network/in -o ./examples/test-network/out -- \
    ./fpicker --fuzzer-mode afl -e attach -p test-network -f ./examples/test-network/harness.js
afl-fuzz++4.33c based on afl by Michal Zalewski and a large online community
[+] AFL++ is maintained by Marc "van Hauser" Heuse, Dominik Maier, Andrea Fioraldi and Heiko "hexcoder" Eißfeldt
[+] AFL++ is open source, get it at https://github.com/AFLplusplus/AFLplusplus
[+] NOTE: AFL++ >= v3 has changed defaults and behaviours - see README.md
[+] No -M/-S set, autoconfiguring for "-S default"
[*] Getting to work...
[+] Using exploration-based constant power schedule (EXPLORE)
[+] Enabled environment variable AFL_NO_FORKSRV with value 1
[+] Enabled testcache with 50 MB
[+] Generating fuzz data with a length of min=1 max=1048576
[*] Checking CPU scaling governor...
[!] WARNING: Could not check CPU min frequency
[+] You have 14 CPU cores and 4 runnable tasks (utilization: 29%).
[+] Try parallel jobs - see /opt/homebrew/Cellar/afl++/4.33c/share/doc/afl/fuzzing_in_depth.md#c-using-multiple-cores
[*] Setting up output directories...
[+] Output directory exists but deemed OK to reuse.
[*] Deleting old session data...
[+] Output dir cleanup successful.
[*] Validating target binary...
[*] Scanning 'examples/test-network/in'...
[*] Creating hard links for all input files...
[+] Loaded a total of 2 seeds.
[*] Spinning up the fork server...
[*] Using AFL++ faux forkserver...
[!] WARNING: Old fork server model is used by the target, this still works though.
[+] All right - old fork server is up.
[*] No auto-generated dictionary tokens to reuse.
[*] Attempting dry run with 'id:000000,time:0,execs:0,orig:0'...

[-] The program took more than 1000 ms to process one of the initial test cases.
    This is bad news; raising the limit with the -t option is possible, but
    will probably make the fuzzing process extremely slow.

    If this test case is just a fluke, the other option is to just avoid it
    altogether, and find one that is less of a CPU hog.

[-] PROGRAM ABORT : Test case 'id:000000,time:0,execs:0,orig:0' results in a timeout
         Location : perform_dry_run(), src/afl-fuzz-init.c:1013
```

Some versions of the tools I'm using:

- macOS 15.4.1 (arm64)
- frida 17.2.15
- frida-compile installed with npm, latest version
- Apple clang version 17.0.0 (clang-1700.0.13.5)
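Frida's "Failed to attach: process is dead" means the PID it resolved no longer exists at attach time, which is easy to hit with a simulator app that gets relaunched between `frida-ps` and `frida -p`. The script below is an added example (not fpicker's or Frida's own code) of a pre-flight check to run before `frida -D local -p <pid>` or `fpicker -e attach -p <name>`: it resolves the name from `frida-ps -D local` output and confirms the PID is still alive with `kill -0`. The `frida-ps` listing embedded in the block is constructed from the PID and name shown in this issue; the function names `pid_from_ps_listing`, `is_alive` and `preflight` are this example's own.

```sh
#!/bin/sh
# Added example: pre-flight checks before attaching Frida/fpicker to a local
# (simulator) process. Not part of fpicker; names below are this script's own.

# Constructed sample of `frida-ps -D local` output, modelled on the listing in
# the issue (PID 98235, name IOSTestDemo) plus one unrelated row.
SAMPLE_PS_OUTPUT='  PID  Name
-----  -----------
98235  IOSTestDemo
  412  Finder'

# Print the PID for a process name from frida-ps style "PID  Name" output.
# The numeric test on $1 skips the header and separator rows.
pid_from_ps_listing() {
    listing="$1"; name="$2"
    printf '%s\n' "$listing" | awk -v name="$name" \
        '$1 ~ /^[0-9]+$/ && $2 == name { print $1; exit }'
}

# Return 0 if the PID can still receive signals, i.e. the process exists.
is_alive() {
    kill -0 "$1" 2>/dev/null
}

# Resolve a name via the given frida-ps listing and verify the process is
# alive. Prints the PID on success; returns 1 if the name is not listed and
# 2 if it is listed but already gone (the "process is dead" situation).
preflight() {
    name="$1"; listing="$2"
    pid=$(pid_from_ps_listing "$listing" "$name")
    [ -n "$pid" ] || { echo "$name: not listed by frida-ps" >&2; return 1; }
    is_alive "$pid" || { echo "$name: pid $pid is gone (process is dead)" >&2; return 2; }
    echo "$pid"
}

# Stand-alone usage: `sh preflight.sh IOSTestDemo` queries the real local
# device instead of the constructed sample and prints the PID to attach to.
if [ -n "$1" ]; then
    preflight "$1" "$(frida-ps -D local)" && echo "ok to attach"
fi
```

Resolving the PID and checking liveness in the same step narrows the window in which the target can disappear; if `preflight` returns 2 repeatedly, the app is exiting or being relaunched before attach, which is a target-lifecycle problem rather than an fpicker build problem.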
